Framework
2 Purpose
This Framework outlines the requirements and processes supporting Council’s Risk Management
Policy. It will:
a) Align with the objectives of the Risk Management Policy;
b) Establish roles and responsibilities for managing risk;
c) Establish a standardised, formal and structured process for assessment, treatment and
monitoring of identified risks;
d) Encourage innovation by integrating risk management into the strategic and operational
processes across all departments of Council;
e) Ensure Council maximises its opportunities, while minimising any negative impacts identified
during the risk management process;
f) Ensure all risks outside the defined risk tolerances are escalated to the relevant manager and
additional treatment options implemented;
g) Ensure that (standard) reporting protocols are established for information dissemination across
all Council departments; and
h) Assist in the development of a continuous improvement culture by integrating risk management
processes into all Council functions.
In South Australia, certain insurable Council risks have been transferred to a number of self-managed schemes managed by Local Government Risk Services (LGRS) via payment of an annual contribution. The schemes are:
a) Local Government Association Mutual Liability Scheme (LGAMLS) for the purposes of Civil
Liability coverage and claims management;
b) Local Government Association Workers Compensation Scheme (LGAWCS) for the purposes of
workers compensation coverage and claims management; and
c) Local Government Asset Mutual Fund (LGAMF) for the purposes of asset and fleet coverage and
claims management.
As a member of these schemes, Council must ensure that WHS, asset and risk management protocols are developed, endorsed and implemented across all departments.
4 Risk Management Principles
The international standard for Risk management - Guidelines (ISO 31000:2018) describes risk as:
“…the effect of uncertainty (either positive, negative or both) on objectives…”
The goal is not to eliminate all risks, but rather to manage risks involved in Council’s functions and
services and to create and protect value for our stakeholders and community.
ISO 31000:2018 is based on the following eight principles, which underpin this Framework and guide
how we manage risk across Council:
Integrated: An integral part of all organisational processes.
Part of decision making: Aids decision makers in making informed choices and identifying the most effective course of action.
Best available information: Based on historical and current information, as well as on future expectations, taking into account any limitations associated with such information and expectations.
Human and cultural factors: Recognises that behaviour and culture can significantly influence the achievement of objectives.
[Figure: ISO 31000 risk management framework. Leadership & commitment sits at the centre, surrounded by the cycle Integration, Design, Implementation, Evaluation and Improvement.]
Council and its leadership team will demonstrate leadership and commitment to ensure that risk
management is integrated into all organisational activities by:
a) Developing and implementing risk management policy, framework and supporting tools and
processes;
b) Allocating appropriate resources for risk management; and
c) Assigning roles, authorities, responsibilities and accountabilities with respect to risk
management and communicating these at all levels of the organisation.
5.2 Integration
This Framework provides the methods and processes Council uses to manage risks and identify
opportunities in every part of the organisation.
Governance guides the direction of the organisation and provides the rules, processes and practices
necessary for Council to achieve its objectives. Management structures that define risk management
accountability and oversight roles across the organisation are critical to achieving the strategy and
objectives required for Council to achieve sustainable performance and long-term viability.
Risk Management is not just about the risk assessment process nor is it a stand-alone discipline. To
maximise risk management benefits and opportunities, it requires integration through Council’s
entire operations, as follows:
[Figure: areas of Council operations into which risk management is integrated: strategic & business plans/decisions; information/data management; legislative compliance; business continuity & disaster recovery; internal audit; emergency management.]
Strategic and business planning, including long-term financial planning and annual
budget setting, must consider risks facing Council in setting and pursuing its objectives
and the effectiveness of systems in place to manage and communicate those risks.
Risk Management is integrated into governance structures, including decision making.
Risk assessment and management processes are incorporated into Council and
Committee reports, where there is a potential impact on achievement of Council’s
objectives or on the wider community.
Council members are expected to:
a) Give adequate consideration to risks when setting Council’s objectives;
b) Understand the risks facing Council in pursuit of its objectives;
c) Oversee effectiveness of systems implemented by the organisation to manage risk;
d) Accept only those risks that are appropriate in the context of Council’s objectives;
e) Consider information about such risks and make sure they are properly
communicated to the appropriate stakeholder or governing body.
Councils are subject to the Local Government Act (SA) 1999 along with a range of other
Acts, Regulations and Codes of Practice and Standards. Council has implemented a
Work Health and Safety (WHS) system to manage health and safety risks to workers and
members of the public, in accordance with the WHS Act (SA) 2012. WHS is a critical
component of Council’s risk management system and addresses risks facing workers
conducting their specified duties.
Risk exposures vary according to the functions, facilities and services Council provides
and these change over time. Council’s processes will address both the risks associated
with provision of functions, facilities and services (e.g. capacity and resources) and risks
arising from their delivery (e.g. public safety and community reaction).
Council plans for, and undertakes, prevention, preparedness, response and recovery
activities to support its community in the event of emergencies and natural disasters.
This process includes alignment and co-operation with lead agencies and other Councils
in the region as well as providing information and training for workers to protect them
from harm while responding to emergencies and natural disasters.
Council is obliged to ensure that critical business functions continue after a business
interruption. Council has developed its BCP, taking into consideration reasonably
foreseeable risks and their potential impact on achievement of Council’s objectives. The
BCP is designed to manage risk by limiting or reducing the impact of a disruption, (such
as severe weather event or loss of key personnel), and enable the resumption of critical
business functions/services of Council following a disruption.
Both risk and performance management start with establishing and communicating
corporate goals and objectives and developing strategies which are then cascaded
throughout the organisation. Appropriate measures and reporting structures will be
put in place to monitor the effectiveness of Council’s risk management processes (at
individual/organisational level), which will in turn help identify gaps or emerging risks.
Critical to the achievement of Council’s objectives is that it retains data and corporate
knowledge, and there are regulatory requirements to do so (under the State Records
Act 1997, Commonwealth Privacy Act 1988 and Freedom of Information Act 1991).
Council’s records may be vulnerable to cyberattack, malicious intent or unauthorised
release, should appropriate risk mitigation strategies not be in place.
5.3 Design
Those involved in risk management processes must understand factors internal and
external to Council that may influence its ability to achieve its objectives. Council’s risk
management culture, organisational structure, strategy and objectives are factors that
define Council’s internal context. The external environment may include a range of
factors including (but not limited to):
a) Increased legislative and compliance requirements;
b) Reduced funding from State government;
c) Community expectations; and
d) Social, cultural, political, technological, economic, natural and built environment.
The following risk management roles and responsibilities ensure a transparent approach
to managing risk within Council.
Roles and Responsibilities

Council
• Endorse Council’s Risk Management Policy
• Review and consider any report or recommendations regarding the Risk Management Framework
• Ensure risks are adequately considered when setting Council’s strategies and objectives
• Understand risks facing Council in pursuit of its objectives
• Ensure there is a systematic and effective approach to managing risk and opportunity across Council operations that is implemented, monitored and communicated
• Apply risk management principles to decision making
• Monitor Council’s strategic risks

Chief Executive Officer (CEO)
• Promote a strong risk management culture by providing firm and visible support for risk management, including ensuring appropriate accountability for risk management
• Ensure a customised policy and framework are in place and implemented that deliver a consistent approach to risk management
• Ensure appropriate resources are allocated to managing risk
• Ensure managers have the necessary knowledge and skills to effectively fulfil risk management responsibilities and are accountable for risks arising from activities of their departments
• Regularly review Council’s strategic and operational risks

Management Executive Team
• Commitment to, and promotion of, the Risk Management Policy and Framework
• Monitor Council’s overall risk profile and mitigation strategies
• Ensure that risk management is embedded into all critical functions and activities
• Ensure documentation of items on the risk register and ongoing and regular reviews of the risk register, including the actioning of any overdue risk treatments
• Include risk treatments in departmental plans
• Empower staff to be actively involved in managing risk
• Promote a proactive risk culture in accordance with business management initiatives
• Regularly review risks on the risk register (at least annually)
• Review Council’s Strategic Risks

Corporate Services Manager
• Provide guidance and assistance to staff in relation to this Framework and reporting within the Risk Register
• Ensure relevant risk information is reported and escalated to the Management Team or Audit Committee, or cascaded to staff
• Maintain the Risk Management Policy and Framework to ensure their currency and accuracy
• Maintain the Risk Register and timeframes as required
• Provide support and advice to managers and staff in the application and use of the Risk Management Framework

Employees, Volunteers & Contractors
• Understand the risk management processes that are integrated into all Council activities
• Identify, evaluate, report and manage risks in their daily activities and projects
5.4 Implementation
This framework is supported by a plan that includes timeframes and resource requirements
and processes for engagement with, and provision of information to, stakeholders.
5.5 Evaluation
Council will undertake periodic reviews of its risk management framework to ensure it
remains meaningful and current.
5.6 Improvement
Council will monitor and adapt its framework, with a view to continually improve the
suitability, adequacy and effectiveness of the risk management process.
6 Risk Management Process
Good risk management practices ensure Council can undertake activities knowing that measures are
in place to maximise the benefits and minimise the negative effect of uncertainties.
Risk management involves both the management of potentially adverse effects as well as the
fulfilment of potential opportunities. The risk management process is an integral part of
management and decision-making. The dynamic and variable nature of human behaviour and
culture should be considered throughout the risk management process.
Although the risk management process is often presented as sequential, in practice it is iterative.
Establishing communication and consultation with internal and external stakeholders is critical to
the success of the risk management process. Effective communication and consultation throughout
the process is essential to ensure that those responsible for implementing risk management, and
those with a vested interest, understand the basis on which risk management decisions are made
and why particular actions are required.
Council will engage with stakeholders throughout the risk management process to:
a) Correctly identify risks and understand context;
b) Gain a better understanding of the views and interests of stakeholders and how their
expectations may be managed;
c) Capitalise on the diversity of knowledge, opinions and experience to enhance identification and
management of risks and opportunities; and
d) Build a sense of inclusiveness and ownership amongst stakeholders.
6.2 Scope, context and criteria
Because the risk management process is applied at different levels throughout the
organisation, it is important to define the scope including:
a) Goals and objectives of risk management activities;
b) Proposed outcomes and timing;
c) Responsibilities and accountabilities for the risk management process;
d) Risk management methodologies;
e) Processes, activities and projects and how they may interact with other processes,
activities and projects of Council;
f) How effectiveness and/or value will be measured and monitored; and
g) Availability of resources to manage risk.
6.2.2 Defining the context
Defining the context is important because risk management takes place in the context
of Council’s objectives and activities and organisational factors can be a source of risk.
The context should reflect the specific environment of the activity to which the risk
management process is to be applied, and consider the factors outlined in 5.3.1.
Risk criteria are used to evaluate the significance of risk and are reflective of Council’s
values, objectives and resources and the views of its stakeholders. Council’s risk criteria
are documented throughout this framework and its appendices.
While risk criteria are established at the beginning of the risk management process,
they are dynamic and should be continually reviewed and amended, if necessary.
The aim of risk identification is to develop a list of events that may occur which - if they do -
are likely to have an impact on the achievement of Council’s objectives, as stated in its
Strategic Management Plans. Council identifies, assesses and treats risk in three groups:
Strategic: Risks associated with high level strategic goals that align to Council’s Strategic, Annual and Business Plans. Strategic risks may affect the achievement of Council’s corporate objectives. They are key issues for management and impinge on the whole business rather than a business unit. These risks can be triggered from within the business or externally. In other words, they may prevent the organisation from achieving its strategic goals.
Operational: Risks associated with departmental functions and daily operations to deliver services. Often these risks are cost overruns, supply chain/logistic issues, employee issues, fraud, WHS, and non-compliance with policies and procedures.
Project: Risks associated with project management that may affect milestones connected to delivering a specific project.
Risk identification is a process of formally documenting the effects of uncertainty on
objectives. The aim is to work with stakeholders, where relevant, to generate a list of risks
based on impacts or events. During the identification process, there are a number of
questions that need to be asked to capture the information required:
a) What might happen/ what could go wrong?
b) What is the cause?
c) How does this affect the objective?
After a risk is identified, it is captured in the Risk Register in one of these categories: Strategic; Governance; Legal; Financial/procurement; HR/organisational; Public; WHS; Asset; Environmental; Information.
Risk identification must be comprehensive as risks not identified are excluded from further
analysis. Care must be taken to identify and define risks, rather than causes or consequences.
Not all risk types for Council are the same in terms of their acceptability. Once a risk
has been analysed, it needs to be compared to Council’s tolerance levels. Tolerance
can be described as the organisation’s readiness to bear each of the risks (after
implementation of controls) in order to achieve its objectives.
If the assessed risk level is above the tolerable level for that category of risk then
treatment may be required. If it is equal to, or below, the tolerable level for that
category of risk then the risk can be accepted (provided controls are implemented).
The tolerance level for each residual risk specific to Council and its objectives is:
Zero: Willingness to accept no risk at all
Low: Willingness to accept very little risk
Moderate: Willingness to accept some reasonable risk
High: Willingness to accept a high level of risk
6.3.3 Risk Evaluation
Risk evaluation is the process used to help make decisions about which risks need
treatment and the priority for applying controls. Decisions should include consideration
of tolerance of the risks borne by parties other than Council. There are also
circumstances when, despite the risk level, risks cannot be treated. Refer Appendix E.
Risk treatment can be conducted using a variety of methods. When looking at risks,
treatments are aimed at reducing or removing the potential for consequences occurring.
When looking at opportunities, treatments look at ensuring that consequences are realised.
Risk treatment involves selecting one or more options for modifying risks, and implementing
those options. Once implemented, treatments provide or modify the controls. An action
should be implemented to treat certain risks.
Justification for risk treatment is broader than economic considerations and should take into
account Council’s obligations, voluntary commitments and stakeholder views. Appropriate risk
treatment options should have regard to Council’s objectives, risk criteria and resources.
Council will tolerate a level of risk, in accordance with the risk tolerances set out in Appendix
E. Any risk that is rated at or below a tolerable level of risk should be monitored and reviewed
in line with relevant department processes and systems as discussed in Section 6.3.2.
Risk treatments need to be sufficient to mitigate that risk, and must have some of the
following characteristics if they are to become an adequate control:
a) Documented (e.g. Policies, procedures, task lists, checklists)
b) Systems-oriented (e.g. integrated and/or automated)
c) Preventative (e.g. system controls) or detective
d) Consistent and regular (including during staff absence)
e) Performed by competent and trained individuals
f) Clear responsibility and accountability
g) Create value (i.e. benefits outweigh costs)
h) Achievable for the organisation (based on available resources)
i) Evidenced
j) Confirmed independently
Risk treatment plans specify how the treatment options will be implemented, so those
involved understand what arrangements are in place and to allow progress to be
monitored. Risk treatment plans may be integrated into Council’s existing processes,
(e.g. project management plans, risk registers) and provide the following information:
a) Rationale for selection of treatment options;
b) Responsibilities and accountability for approving and implementing the plan;
c) Proposed actions and timeframes;
d) Resourcing requirements;
e) Constraints and contingencies; and
f) Required reporting and monitoring.
6.5 Monitoring and Review
Monitoring and review must be a formal part of the risk management process and
involves regular checking of effectiveness and efficiency of the processes implemented.
A monitoring and review process will:
a) Ensure that implemented controls are effective and adequate;
b) Provide further information to improve risk assessment and treatment plans;
c) Allow for the identification of emerging risks;
d) Identify (new) activities that may influence established strategies to mitigate risks.
It is essential to monitor all activities and processes to capture any new or emerging
risks arising from the changing environment (internal/external) and Council activities.
Monitoring and review guidelines and timeframes are captured in the Risk Reporting
structure. See section 8.
Due to the dynamic nature of most projects, a risk may change over the lifecycle of the
project, triggering the need for reassessment. The monitor and scheduled review
process allows for validation of risks to ensure they remain relevant and adaptation of
project plans as necessary. Any changes in risks throughout the project and after its
completion should be recorded and used for future project planning.
The review of Council’s risk management framework and processes will be scheduled
for completion within three years from endorsement.
7 Recording and reporting
7.1 General
The risk management process and its outcomes are documented and reported to:
a) Communicate risk management activities and outcomes;
b) Provide information for decision making;
c) Support continuous improvement; and
d) Assist interaction with stakeholders, including those with responsibility and accountability
for risk management activities.
Records will be managed and retained in accordance with State Records General Disposal
Schedule for Local Government.
The Risk Register enables Council to document, manage, monitor and review strategic, project
and operational risk information in order to build a risk profile and provide direction on how
to improve risk management processes. The Risk Register can be used to monitor whether,
using the approach outlined in this framework, the risk management process for opportunities
is resulting in an increasing trend towards potential for success and less risk with negative
consequences.
Council will identify and record strategic risks on the Risk Register. Strategic level risks
are identified by the Management Team and the Council, as part of an annual review at
a minimum. Any risks identified at the strategic level may be reflected in other
corporate documents e.g. Strategic Plan, Annual Business Plan, Asset Management
Plans and mitigated through action details in these documents, however these should
be collated in the Risk Register for ease of monitoring and review.
Recording and reporting of strategic level risks is the responsibility of the Corporate
Services Manager via the Management Team and Audit Committee.
Council will record and maintain operational risks on the central Risk Register, which is
reviewed at least annually by Departmental Managers. The Risk Register will
incorporate departmental risks and proposed mitigation techniques, as determined by
the evaluation process. Recording operational level risks in the register and reporting of
implementation and effectiveness of controls is the responsibility of Managers and
workers.
Project level risks can be identified by anyone at any time prior to, and during, specified projects and are recorded within the Risk Register. Project level risks must be identified during the planning process, but can also be added as and when necessary. Recording and reporting of project level risks rests with the identified project owner.
7.3 Risk reporting
7.3.1 Purpose
Risk based reports will draw data from the Risk Register and provide monitoring and
profile information to Council, Audit Committee and the Management Team in order to:
a) Understand the risk exposure of the Council;
b) Identify risks that require increased attention and action;
c) Provide risk information to the Council, especially anything affecting the Strategic
Management Plan;
d) Provide information to all workers at all levels to make risk informed decisions; and
e) Improve the Risk Management awareness and culture at Council.
7.3.2 Content
8 Training
8.1 Workers: this framework and supporting policies and tools will be made available to all
workers through the intranet. Council’s Training Needs Analysis (TNA) is a tool used to:
a) Capture legislative training and/or licensing requirements; and
b) Identify individual tasks within specific jobs and the core competencies required for the
safe performance of those jobs.
Risk Management awareness training is captured on Council’s TNA, to ensure the effective
implementation of this Framework. Risk Management is overarching across all functions, not
as a specialist skill that is owned by a designated risk management position. Risk management
awareness will be provided by Council to relevant workers and will take into consideration the
role of the worker within the Risk Management Framework.
8.2 Elected Members: Elected Members are key strategic decision makers and it is imperative
they understand the Risk Management Policy and Framework and their role in informed
decision making based on sound risk management principles. Risk Management awareness
training will be scheduled within 12 months of Council elections.
8.3 Audit Committee: Audit Committee members should, as a minimum, understand their roles
and responsibilities as outlined in Council’s Risk Management Policy and Framework, including
the monitoring and review of risk management reports and outcomes from management and
external auditors.
9 APPENDICES
CONSEQUENCE

Level 1 (Catastrophic)
Financial: Significant financial loss (> $600k). Loss of business operation. Multiple financial year impact.
People: Major injury/disablement or death. Long term effect on morale and business performance.
Reputation: Potential national media attention. Prolonged media/political attention. Irreparable reputation damage.
Environmental: Major loss of environmental amenity; irrecoverable environmental damage.
Service Delivery: Major interruption to delivery of all or most services for more than 14 days. Full BCP action required.

Level 2 (Major)
Financial: Major financial loss ($250-$600k). Major impact on business operations. Multiple financial year impact.
People: Serious long term injury. Temporary disablement. Significant impact on morale and business.
Reputation: Regional or State wide media attention. Public interest. Long term effect on reputation.
Environmental: Severe loss of environmental amenity, danger of continuing environmental damage.
Service Delivery: Major interruption to services, customer impact 7 – 14 days. Full or partial BCP action may be needed.

Level 3 (Moderate)
Financial: Moderate financial loss ($60-$250k). Moderate impact to business operations. May impact beyond current financial period.
People: Significant injury requiring medical attention. Short term effect on morale and business or potential.
Reputation: Significant media attention. Significant public interest. Potential for adverse local media attention.
Environmental: Moderate impact to environment. Localised damage that has potential to spread and is reversed with intensive efforts.
Service Delivery: Moderate interruption to service delivery. Customer impact up to 48 hrs. Partial BCP action may be needed.

Level 4 (Minor)
Financial: Minor financial loss ($10-$60k). Minor financial disruption/variation to budget.
People: Minor medical attention. Negligible impact on morale.
Reputation: Some local media or political attention. Community concern – little adverse effect.
Environmental: Minor impact to environment. Can be reversed in the short term.
Service Delivery: Minor interruption to a service with minimal impact to customers/business.

Level 5 (Insignificant)
Financial: Negligible financial loss (< $10k). No real disruption to business.
People: No injury/first aid only. No impact on morale.
Reputation: No media or political attention. Some local complaints.
Environmental: Minor instance of environmental damage. Can be reversed immediately.
Service Delivery: Interruption to a service – no impact to customers/business.
9.3 Appendix C: Likelihood Table
LIKELIHOOD
A (Almost Certain): Expected to occur at times of normal operations (more than once per year). 90% chance.
B (Likely): Will occur at some stage based on previous incidents. 50% to 90% chance.
C (Possible): Not expected to occur but could under specific circumstances. 25% to 50% chance.
D (Unlikely): Conceivable but not likely to occur under normal operations (no previous occurrence). 5% to 25% chance.
Risk Matrix (Likelihood by Consequence)
Likelihood / Consequence:  1  2  3  4  5
A (Almost Certain):        E  E  H  H  M
B (Likely):                E  E  H  M  M
C (Possible):              E  H  M  M  L
D (Unlikely):              E  H  M  L  L
E (Rare):                  H  M  L  L  L
9.5 Appendix E: Managing Risk
EXTREME • Escalate risk issue immediately to Chief Executive Officer / Management Executive
• Add risk to Council’s Risk Register
• Chief Executive Officer / Management Executive to:
o Refer risk to risk owner
o Identify and develop treatment strategies for immediate action
o Monitor and review actions/strategies
o Provide direction and information to relevant stakeholders